[dupe] Ex-Mozilla CTO: I was grilled for three hours at US airport by border cops (theregister.co.uk)
594 points by vb6lives 49 days ago | 360 comments

Quick reminder: US citizens have an absolute right to reenter the country. Customs can temporarily detain you, but they cannot refuse entry. Any threat, whether implied or stated, that they will hold you until you unlock your device is not real. They can hold your stuff indefinitely, so be prepared to lose it if you go this route, but never unlock your device based on the idea that it’s the only way to go free.

Non-citizens are in a totally different boat. You can be denied entry for any reason whatsoever. Tread carefully....

Quick reminder: Non-US citizens only go to conferences outside the US. There is no excuse we should put up with this. Canada and EU are much better locations for this reason alone.

It scares me the number of people who think that the US is in some uniquely bad place for some issue, not because of "whataboutism" but because of the blindness it can entail and skewed perceptions of all sides. No, it's not a dystopia in the US, but a wonderland paradise everywhere else. There's plenty of places that treat various people badly.

Agreed. I'm European and it astonishes me how a wall at the border is so divisive, with some even calling it un-American, and in the EU there are essentially no legal ways for refugees to enter at all (we've made it practically impossible to fly) and children die by the boat loads in the Mediterranean, yet we Europeans think we are in a position to judge the US.

Astonishing is the word.

Countries often have reciprocal arrangements regarding how they treat each other's citizens. If your country treats country X's citizens like crap, odds are country X will start treating your country's citizens like crap too.

Because of this, it's likely that the world will spiral to worse and worse treatment of everyone. As the saying goes, an eye for an eye and soon the whole world is blind.

This is why Brazil now fingerprints travellers from the USA and not from anywhere else.

Yup! Not sure why Canada gets to slip under the radar on things like this. They are demanding access to devices as well.

“On the other hand, we’ve got very recent case law from the Supreme Court of Canada, starting in about 2010, that says you’ve got an intense amount of privacy in your electronic devices.”

If he went all the way up to the supreme court instead of taking the plea deal, the story might have gone the other way.

Well if CBSA continues with this practice I hope it ends up with a lawsuit and gets shut down by the supreme court.

Given their reported membership in the Five Eyes, I don't see NZ as a place to be. https://en.wikipedia.org/wiki/Five_Eyes

In the past several years, I’ve entered 6 countries as a US citizen. Only Canada has demanded access to my phone.

Another anecdotal point, in the past few years I've entered the US a dozen times, China, SA, Australia, Canada and some European countries outside my native France, and I've never been asked to unlock my phone once. I always get the fingerprint treatment at LAX though.

Getting fingerprinted is supposed to be a standard procedure.

I was asked to unlock my phone trying to get to Canada as a US citizen too.

What are they even trying to find on your phone?

Evidence that you're coming to Canada to stay and perhaps work, rather than visit temporarily.

Interesting. When they ask my occupation I say that I’m a small business owner in the software industry. Is that a high risk occupation for unauthorized work in Canada?

Are these kinda searches that common?

Also, don't fly through the US to get to that conference in Canada.

Is it a risk if you stay in the airport, in the secure zone? (Whatever it's called...I've flown rarely over the past couple of decades.)

Yes, on a flight to and from New Zealand with a refuel/crew change in LA I was fingerprinted, retina scanned and asked about my personal business despite being held in the "secure" zone.

This was 2005 so they didn't have such a hard-on for electronic devices back then. Seeing as the US has upped its game quite a bit since then, the likelihood of me ever visiting the US is now zero. Sorry my fellow US HN'rs.

And you know it's such a shame because I had a trip to Boston in November 2002, and even with it being only just over a year since 9/11, my passage through customs was friction-less and the staff were delighted that we'd come to visit the US. No fingerprints, no eyeball scanning, no interrogation, just a friendly "business or pleasure, and enjoy your stay".

If you're not being hassled in EU airports, it's because they already have your information. Not whataboutism, but most EU states and all the powerful ones have active, conservative intelligence and police that work closely with the United States and give them any information they want. Stay safe.

It's not just 5 countries: https://en.wikipedia.org/wiki/Five_Eyes

All flights that stop in the USA require all passengers to clear customs before continuing their journey.

I had no idea, thank you.

This is often called "sterile transit" (the ability to depart the airport without passing through immigration), and the U.S. and Mexico (and apparently Canada) don't allow this, while generally European and Asian countries do.


No EU airport allows this for flights from outside the EU/Schengen zone. Every international airport has dedicated "EU internal" and "all other" terminal pathways for this reason.

Yes, they do. Unless I misinterpreted your comment, connection flights from outside EU to US/Canada don’t require the Schengen visa as passengers don’t leave the “clean” zone.

I've had to go through security and immigration when flying through Dublin and Seoul. So I don't think you can exempt Europe and Asia from the list.

Were you flying to or from somewhere else in Europe in the Dublin case? A subtlety about this which has just come up elsewhere in this thread is that the whole Schengen Area is treated as a single "country" for immigration purposes, so if you have an intra-European flight, you have to enter or exit "Europe" in the course of a transfer to or from an external flight.

But I think if you fly, for example, from New York to Paris and then on to Tunis, you don't have to go through immigration controls in Paris.

I was flying from Seattle to Rome with a connecting flight in Dublin. In both Rome and Dublin I had to go through immigration (that is, present my passport) and in Dublin I had my carry on X-rayed again. Upon arrival in Rome, after clearing immigration I had to go through customs, which is to say I walked out the "Nothing to Declare" portal.

Oh, I just remembered that Ireland isn't in the Schengen Area (due to the Common Travel Area with the UK). So you wouldn't have a domestic-style flight from Ireland to Italy. But your experience then does seem to confirm that Dublin doesn't offer sterile transit at all, which is a bit of a surprise to me.

The US forces you to clear customs regardless of your final destination (transfers included).

There is no transit visa to the US. Everyone landing goes through customs and immigration regardless of whether you are connecting to another flight.

Yes the secure zone is even more risky in my opinion.

Canada is not exactly welcoming to visitors. Particularly visitors that may have a mark on their background check from any number of years ago. Good luck getting in at all -- it's becoming a common mention in hip hop lyrics even.

>Canada is not exactly welcoming to visitors. Particularly visitors that may have a mark on their background check from any number of years ago.

Not a bug, working as intended. Entering a country that you aren't a citizen of isn't some inalienable human right, especially if you're a convicted criminal.

By that same token there is no reason to complain about how difficult it can be to enter the U.S. for certain individuals -- or working as intended as you call it. I also find it a bit disturbing how easily you apply law & order in the name of a country that was not involved in deciding the validity of that decision or the circumstances behind it.

>By that same token there is no reason to complain about how difficult it can be to enter the U.S. for certain individuals

Well, yeah, entering the US as a non-citizen is a privilege granted at the discretion of the US federal government. Border control is an essential function of a sovereign state.

>I also find it a bit disturbing how easily you apply law & order in the name of a country that was not involved in deciding the validity of that decision or the circumstances behind it.

It's disturbing to not want criminal elements freely entering your country? If they're not a refugee and they can't follow the law in their country of origin, why should any other country be obligated to let them in?

Let me put things into perspective for you. Cops raided the wrong house (battering ram and everything) which happened to be where I lived. They ripped up floor boards and broke holes in the wall -- they found $300 worth of personal weed. So they confiscated everything I own because it could possibly be related to drug money. I'm also incarcerated without the ability to post bail (because cops just took everything). I wasn't granted personal recognizance bond, it was $50,000 -- my family takes this as a sign that I must be guilty of whatever they say so I have no access to money for bail or for a lawyer. So I did my own case work while I sat in jail for 3 months, got a different judge to finally give me a personal recognizance bond, picked apart the prosecutor and detective at later hearings/motions, and finally leading up to the day before a jury trial (for two felony charges). I was offered a better plea and took it -- everything leading up to this point was so fucking asinine that despite all the headway I made I could not trust I would not spend years in prison. It's quite clear they did not want to look like idiots after getting a warrant and executing it in force based entirely on what some 17 year old kid told them while being interrogated himself.

I'm only a criminal to someone like you.

You can't plead guilty to (what sounds like) a trafficking charge and then claim to be innocent and expect to be freely admitted to other countries. Canada has no way of knowing you're innocent so your logic is that they should just let you in anyways? I think countries have very good reasons to keep people with drug convictions from entering regardless of whether or not you believe drugs should be decriminalized or legal.

> I think countries have very good reasons to keep people with drug convictions from entering regardless of whether or not you believe drugs should be decriminalized or legal.

What you are really saying is that you think countries have very good reasons to keep people that are not well off from entering. People that are well off would/do not have the same legal outcomes, and thus your measurement of law-abiding is not reasonable.

>What you are really saying is that you think countries have very good reasons to keep people that are not well off from entering.

Well, yes. As far as immigration goes, the policy of most non-US western countries is primarily merit-based or if you have money to invest in the country. If you aren't educated and productive and you're not a legitimate refugee, why should a country let you in? How does the country benefit?

Canada has a generous welfare system and social safety net that would likely be unsustainable if it let in sufficient number of people unable to support their own benefits. Even if you hold the view that drug use ought to be a public health matter and not a criminal matter, there's a limited amount of immigration that can be sustained without overburdening these services and why let in a drug user when you can let in a doctor or engineer?

In the case of tourism, it's just about limiting risk of someone overstaying their visa.

> Well, yes. As far as immigration goes, the policy of most non-US western countries is primarily merit-based or if you have money to invest in the country. If you aren't educated and productive and you're not a legitimate refugee, why should a country let you in? How does the country benefit?

I make well into six figures as an engineer and cannot make legitimate business trips to Canada even when the company lawyer has appealed for my entry, complete with compiling a report with ample evidence of merit. It is a naive view to think that entry is merit based when I'm being denied entry based solely on the fact that I was once a teenager that was discovered to be around weed once.

> In the case of tourism, it's just about limiting risk of someone overstaying their visa.

Then why do so many performance artists have to cancel Canadian stops when they are not allowed entry? Are they really scared a platinum artist is going to become a drain on their society? That quite obviously has nothing to do with it.

Pretty much any country does this. Unless you're a citizen of that country, you have no right to enter it and should be on your best behavior at all times, and they can decline you for any reason they feel like, justified or not.

I've been all across the world. I've been turned away from Canada twice (every occasion) over some weed 15 years ago. No other country cares unless you are applying for a long term visa or something. I even tried applying for the right to visit and was turned down (again, over weed).

Americans who have concealed carry permits on their person when entering Canada will have their vehicle searched with a fine toothed comb.

That’s actually pretty reasonable. I don’t think anyone reasonable thinks Canada doesn’t have the right to enforce their firearm laws at their border.

I agree that no one who is reasonable thinks that Americans who travel to Canada get to exercise the rights they hold as Americans in America. But is having a concealed carry permit in your wallet a reasonable indication that you have a gun on your person or in your vehicle? Statistically, in the US, CC permit holders are the most law abiding group in the country.

Let’s imagine, hypothetically, that a visitor came to the US and had a permit from their country of origin allowing them to own and travel with slaves. Would border patrol be justified in giving them extra scrutiny to see if they might have one with them?

Well, no?

Assuming by default that somebody would break the law, just because you politically disagree with them, is not justified. As said above, CC holders are among the most law-abiding citizens (this is true in my country too). They're aware of the laws governing their permit and assuming by default that they'd break other countries' laws is preposterous. You don't just forget that you're carrying when you travel abroad or by airplane. And you sure as hell don't do something as idiotic as that, with the accompanying consequences, intentionally.

It’s not about political disagreement. It’s about having a permit for something that’s not allowed to transit the border. Assuming nefarious intent by default is, for better or worse, how border controls operate almost everywhere for almost everyone. You have to demonstrate that you’re OK to enter, they don’t have to demonstrate that you’re not.

As far as forgetting that you’re carrying, numerous examples say otherwise. Random data point: the TSA confiscated over 4,000 guns last year, of which I imagine approximately 100% were inadvertently packed by innocent people. Whether it’s intentional is immaterial; Canada doesn’t want guns crossing the border, and they couldn’t care less if you’re doing it by accident.

But having a CC permit is an announcement that you own firearms, and you’re in the habit of carrying them on your person. It makes sense to check this person for firearms, even if to make sure they didn’t accidentally bring one out of habit.

> Americans who have concealed carry permits on their person when entering Canada will have their vehicle searched with a fine toothed comb.

If the Canadian border authorities are searching your person, such that they are likely to notice something like a concealed carry permit, your border crossing has already gone south.

Alternatively, prefer to avoid bringing your own devices with you when you fly. Leave your laptop and smartphone at home, and rent temporary ones after you cross.

Better, have a secure server at home and ansible playbooks to set up laptops (including getting any minor secrets that you need onto that laptop. Restrict more important stuff to just ssh).

If your threat model doesn't include physical tampering/rootkits, just wipe your devices pre-travel and set it up when you get where you're going. If it does and you can afford to mitigate that risk, arrange to have cheap new devices at your destination and travel with nothing.

If you're going that route, why not just create a disk image and scp it from your server? Certainly a lot easier than trying to rebuild everything from scratch.

Actually I'd find running my ansible playbook much, much easier than transferring GB of disk image about. I maintain the playbook so that I can keep work laptop and personal laptop in sync. Although I am looking at NixOS as a possible replacement.

An ansible playbook gives you much more flexibility to get to the same place. The one I run takes a mere 3-5 minutes to run (typically) regardless of where I am in the world.

Would work if you trusted that the devices weren't tampered during inspection. Why would I put my keys on something which might've been wiretapped? If you really need to compute whilst traveling or through the states, just buy something cheap whilst you're there.

I literally suggested that if you read my comment.

Nah, just back up and then wipe all your devices and then restore them after customs. (Kevin Mitnick does this).

Or, perhaps he says that but has two passwords, one that decrypts and runs an OS and one that presents as if no OS is installed?

They can seize your stuff so your workaround won’t work when they pass it to their tech team for forensics. Also, if they find something now they have you lying to customs.

It seems (ha!) possible to design the logic for such a system with deniability, like the system has to use the second/third/fourth password to attempt decryption before you know if the padding is encrypted or random noise [if the specific encryption has a signature then each install could encrypt the empty space with a few keys taken from urandom].

First password accesses clean files, second one accesses dummy [legal!] fetish porn collection ... do border guards hold you to get a third password?

An analogue analogue might be: I have a book full of "random alphanum text", I have two (or more) one-time pads for decryption of portions of the book, I also know the page/line the actual cyphertext starts at. The rest of the text in the book is random quotations encrypted using a selection of further random one-time pads. Can forensics find that there is a "hidden" n+1 plaintext when I give them the n pads and starting points? Seems impossible??

You still are now attempting to deceive a government official. Also, you are assuming that the technician assigned to you wouldn't be able to figure this out.

Also, sweating you out in holding is probably more effective than you realize.

How do you find a rented laptop trustworthy?

Although it may not be morally ok, one could just buy a laptop for a conference etc, and then return it after a week if the store has a return policy. I've seen stores take back laptops no questions asked for up to 60 days.

If you are in a pinch.

If not you can just sell it (there or at home) and take the loss as a rental fee.

Why wouldn't a rented laptop be trustworthy?

Because it's someone else's hardware, someone else's software, and someone else's firmware.

To be pedantic, unless you flashed coreboot it's not your own firmware and if you aren't using an open hardware laptop then it's not really your hardware either.

But you can have a bit more trust in the supply chain to get to you than that it hasn't been tampered with afterwards.

Could you give us a set of countries whose customs agencies cannot refuse entry to non-residents, for any reason whatsoever, including no reason?

I have a feeling that is an empty set.

Under the terms of the UN Treaty there are actually certain non-residents that the US cannot refuse visas and entrance to.

I don’t think this is so great for non-US citizens working in the USA because they have to go in and out and can just as well be denied entry. For someone like that who made his life in the USA and has family here, going to conferences outside the USA is potentially much worse and riskier than say a German resident and citizen getting denied travel into the USA for a number of years.

This is not remotely unique to the U.S.

No it's not but this kind of issue tends to happen more frequently in the US.

Honest question: do you know where I can find the data to support that?

There's not going to be any data, border agencies are as non-transparent as you can get.


Yes, or as we used to call it back in the day "empirically".

Plus, it doesn't matter if it happens as much or more in some backwater third world country.

It's already enough of a problem that among first world countries the US is quite a pain in the ass airport control.

Heck, it's enough of a problem that it feels like a pain in the ass. It won't be less of a problem if per capita e.g. Belgium or Albania are worse...

There isn't data on this. This incident likely wasn't logged in any way. CBP is a rogue agency and the least transparent. They don't respond to FOIA anymore either.

Quick reminder: Without a true Bill of Rights, your rights, as much as you might think they are secure, are virtual at best.

The same is true with a Bill of Rights.

The government does what the government wants. If you're lucky, later a different part of the government will apologize.

A bill of rights may reduce the odds that those enumerated rights are denied to you, but it cannot prevent it.

Maybe they're just trying to make flying so annoying people don't do it, to help with global warming. Just video conference, easier, faster, better for not drowning.


> This is a shockingly unamerican sentiment to hear

So feeling fear when surrounded by 3 armed guards is "unamerican"?

My questions are why were there 3 in the first place, and why were they armed? Surely that kind of "show of force" could only be justified in response to a credible threat?

If I had to guess what OP is trying to say, what is "american", is that maybe you should have been afraid of the government before it got to this point. Which means it's possible to be better prepared by knowing your rights.

> Surely that kind of "show of force" could only be justified in response to a credible threat?

Justified, of course not, but have you ever encountered bored cops, or bullies? No matter where you go, there are always corrupt individuals, and unfortunately some of them are in positions of authority.

> they're a basic and necessary element of free societies


> It used to take months, weeks, or at least days.

Sure. Many things were different in the past. For example: hysterical and paranoid border patrol personnel didn't use to be the norm.

What if I don’t support or defend the Second Amendment? Does that make me unamerican? Should I renounce my citizenship?

I'm not even sure how someone could support or oppose the second amendment. It really doesn't say much (anything?) about personal gun ownership. What people are arguing over is the interpretations through caselaw trying to figure out what this rather ambiguous segment of text was trying to say.

The Supreme Court first ruled in 2008[1] that the right to personal ownership of guns is a valid reading of the 2nd Amendment (devoid of any military/militia purpose -- a departure from previous Supreme Court decisions).

While it is correct to argue that Supreme Court decisions are "case law", the Supreme Court is the final appellate court in the US -- so the only way to change their decision would be through a constitutional amendment.

So, opposing the second amendment is the only way to effectively oppose the rulings related to it (assuming that's what you want to oppose).

[1]: https://en.wikipedia.org/wiki/District_of_Columbia_v._Heller

It would be more accurate to say advocating for a different interpretation of the second amendment. At times, some do advocate for the repeal of an amendment as well, and in that case the "opposed to x amendment" verbiage seems a bit more appropriate. There have been a few groups calling for constitutional conventions in the past few years and I think there are some examples of this there. I don't think actually repealing the second amendment has ever been a remotely mainstream idea in the United States.

> While it is correct to argue that Supreme Court decisions are "case law", the Supreme Court is the final appellate court in the US -- so the only way to change their decision would be through a constitutional amendment.

The supreme court does change their mind about things, as the Heller decision demonstrates.

> The supreme court does change their mind about things, as the Heller decision demonstrates.

Heller was not a change of mind by the supreme court (it ruled on a different matter to previous rulings -- which had explicitly skirted around the problem of civilian ownership of weapons outside of a military context).

However, even if it were a change of mind -- the supreme court changing its rulings is an incredibly rare event because such events question the finality and authority of their decisions.

Hence why I said "the only way to change their decision would be through a constitutional amendment" -- because waiting for the supreme court to change their mind about it (while technically possible and sometimes the case) is hardly a useful policy position for a political argument.

Did you swear an oath to uphold the constitution? If so, it is your duty to allow others to exercise their 2nd amendment rights.


Then nobody cares if you support or defend the Second Amendment in terms of your being a "true american" or whatever.

The person I replied to originally seemed to be implying that this was somehow a requirement, hence my question.

> but never unlock your device based on the idea that it’s the only way to go free.

Best to enter the customs zone with the phone powered off, your device's security is likely better in this state, less likely to be circumvented while you surrender it.

Good advice!

Things like mobile boarding passes and the "Mobile Passport" app encourage and train people to hand their devices over to TSA and CBP personnel. In that latter case, unlocked and with an app CBP/DHS controls already installed (with a lengthy ToS no one ever reads).

On a related note, car rental places now email me the contract and rental documents by default, I receive no paperwork unless I remember to ask. The problem didn't register with me right away (It was so similar to what hotels do when you travel, all paperless now) but the last time I returned the car I asked them what I was supposed to do if I was stopped for a traffic violation. "You can open the email from us on your phone and give it to the officer" they suggested. I recommend everyone ask for a printed contract instead.

As an aside, on iOS, the airline apps I have used work like the Wallet app and are visible on the lock-screen, the device must be powered on but remains locked when you display your boarding pass, etc.

I’ve been using mobile boarding passes exclusively for the past few years and it doesn’t even remotely work in the way you describe (within the US, at least; cannot comment on CBP).

1. There is no special app you need for mobile boarding passes. It has always been either a PDF or a PNG file emailed to you.

2. I was never asked to hand over my phone to TSA agents at any point. They just ask you to put your phone with the boarding pass QR code displayed over a QR scanner. At no point does the phone leave your hands.

Mobile Passport is different, and _does_ require a special app.

Also probably a good idea to delete all your 2FA entries you may have in Goog Authenticator on the phone. Or they may want to look into those accounts too.

Best to just wipe any device and restore from backup.

> They can hold your stuff indefinitely, so be prepared to lose it if you go this route

CBP do need reasonable suspicion to hold your belongings or do a forensic search of your computer (Cotterman 2013) - they can't just randomly take things on a whim. The longer they hold it, the higher standard required.

I strongly suspect that CBP's "strong suspicion" is equivalent to a HN poster's "whim." I'm not insulting either party, however when anything similar to this debate plays out, parties talk past each other on this sort of disagreement.

Reasonable suspicion is a legal standard that requires articulable facts, not a whim. Courts regularly hold that officers didn't obtain it.

For more: https://en.wikipedia.org/wiki/Reasonable_suspicion

I agree -- and apologies, I might not have made my point very well.

A different way to phrase it might be: The officers and the suspects disagree about what a reasonable suspicion might entail. Given the incentives, I don't think this is surprising.

I'll admit, my point in no way addresses yours -- how often are officers adhering to the specific legal standard?

For sure, I agree

I'm really not sure how often officers violate the standard; it wouldn't shock me if it were frequent

But when they do, courts will suppress the evidence, and anything that's obtained from knowledge gained in that search ("fruit of the poisoned tree").

I trust that mechanism. And think it's likely better held in the US than literally any other country (v open to evidence to the contrary though)

> But when they do, courts will suppress the evidence

Not if the violation was done in “good faith”:


Yes, thanks for the reference

"Reasonable suspicion" is a legal term. In this context, a CBP officer would need to have evidence that would lead a reasonable person to believe the item to be searched is illegal to bring into the country, or contains something that is illegal to bring into the country. A hunch is not sufficient; it requires objective evidence.

Reasonable suspicion is not required for every search at a border crossing, and the Federal circuit courts are split on whether it is required for a forensic examination of a mobile phone at a border crossing. The 9th circuit has jurisdiction in this case, and has ruled that it is required.

That only applies if the case goes to trial though. Border guards frequently assume that they have near unlimited power regardless of what the law says.

The fundamental problem is that there are rarely consequences for border guards exceeding or misusing their power. The incentives support them trying to exceed legal limits on their authority.

> Federal circuit courts are split on whether it is required for a forensic examination of a mobile phone at a border crossing

Did Cotterman 2013 clear this up? How are circuit courts split yet the 9th assumed jurisdiction?

The 9th circuit has jurisdiction in this case because it happened in California. US v. Cotterman is the relevant case, and the 4th circuit made a similar ruling in US v. Kolsuz, but the 11th circuit held differently in US v. Touset.

So in some parts of the US, reasonable suspicion is required. In some parts, it isn't. In some parts, there is no binding precedent on the issue. It's likely that the supreme court will hear a case on the issue eventually.

Except borders (and anything within 100 miles from it) are basically a zone where US Constitution does not apply. You can be detained and sent to Guantanamo for made up "terrorist threat" and there's not really a legal recourse.

Laws and precedent are one thing, but "law enforcement" behavior is another. You might indeed get your stuff back, but they can make it unreasonably difficult, expensive (in legal fees), or time consuming if they want.

Yes. The courts will suppress any evidence that's not gathered legally, but aside from that, officers' qualified immunity protects them from all but the most obvious infringements

Does refusing to unlock your devices trigger a reasonable suspicion?

(In Cotterman, it sounds like the Ninth Circuit said reasonable suspicion was required, but also decided on its own - despite it not being argued by the government - that an alert from a CBP database about Cotterman's previous conviction justified a search. Which seems reasonable to me, as a layperson, I think.)

Officers need articulable facts for reasonable suspicion. Not consenting to a search is explicitly not grounds for reasonable suspicion here or in any other context

>Cotterman's previous conviction justified a search

...and there you have it: He's done something wrong in the past, so - of course - he must be doing something bad now - forever and always!

They can still take it, illegally, and then you have to spend thousands and weeks (and have to stay in the US for those weeks) suing them to get it back.

Or else? They get some slap on the wrist?

I don't think that will discourage them from calling any whim "reasonable suspicion".

>Customs can temporarily detain you, but they cannot refuse entry

What's the definition of "temporarily" in this case?

"Justice delayed is justice denied." It's unlikely that it could exceed 24 hours and if it exceeded a couple of hours you could get a preliminary injunction (unfortunately of course you'd need counsel to know about the detention in order to act on your behalf).

As a practical matter, more senior officials at CBP should hopefully know about their limitations and if you request counsel and stay silent then they'd likely release you.

I would like to know too. I thought Obama's NDAA allowed indefinite detentions?

I can’t find a definitive answer (and one may not exist until an appropriate court case happens) but from what I do find, it’s some hours.

Paracha's detention might be unjust but it's only indirectly related to this thread. He is not a US citizen.

Not a US citizen, so not relevant.

mikeash was talking about US citizens; Paracha is Pakistani.

He's not a US citizen.

I am a US citizen. For many years I tried exercising this right while remaining silent.

I’ve been kicked out of a border control point in northern Vermont in February in a snowstorm after a four hour interrogation. (They sent the bus without me.)

I’ve been arrested and locked in a room for twelve hours with no food or water or medication.

I’ve been endlessly harassed and interrogated on other entries even when not exercising 5th amendment rights to silence.

In all cases they eventually let me go without charges.

They have to let you enter, but they don’t have to do it quickly or humanely.

What line of work are you in that makes this such an issue for you when you travel?

Makes what such an issue?

I also wouldn't answer any questions. If you're being detained and questioned by law enforcement, you have a right to have an attorney present. And to be charged with a crime within a certain timeframe, for that matter. If there's none of that, hey by golly you must not be under arrest and this isn't a legal proceeding. Answer every question by reminding them you're a US citizen. Maybe repeat your social security number dramatically as if you're a POW in the hands of a foreign power. (Certainly you're in the hands of some traitors against the USA, so it's not a huge stretch.)

Oh, and for non-citizens: I entered the US with a partner that was Canadian, we both refused to unlock our phones. She was denied entry, but they strip searched and physically groped both of our genitals before being released. Simply not wanting to enter the US was insufficient; the only way we could leave the building was by letting the cops handle our genitals.

They will use every option available to them to punish you for disobeying their commands to unlock, even if you are not legally obligated to do so.

>Any threat, whether implied or stated, that they will hold you until you unlock your device is not real

Except the threat to put you on a "mess up with every time they fly" list.

I don’t understand why you’d quote me saying one type of threat isn’t real, then reply with “except...” and describe a totally different threat.

To point out that while the threat that they'll hold you might not be real, they can still fuck you over in some ways...

> US citizens have an absolute right to reenter the country

Going to a prison somewhere in the US is 'reentry' I suppose.

Yes, but the rule of law in the US is mostly intact, so refusing to provide information or actively facilitate a search will not have that result. Lying to the officer can.

Yes, if they actually find probable cause to charge you with a crime, then they’ll let you enter but arrest you and put you in jail. Refusing to unlock your devices does not qualify, though.

Sure, but without a criminal charge there's the right of habeas corpus. (Provided you have someone who will get the legal process started for you, I guess.)

OP was talking about being forced to unlock devices.

Is there evidence of US citizens going to prison for the act of refusing to unlock a device at the border?

No, none that has been presented.

> They can hold your stuff indefinitely, so be prepared to lose it if you go this route, but never unlock your device based on the idea that it’s the only way to go free.

Wonder if you can sue them after for your property back.

Isn't the device lock easily defeatable on the computer?

Hold shift or some other key combination when you boot and it boots into the 'real' machine, the other OS is just a dummy with generic search history and data.

I would advise against this. It might work but there’s no guarantee, and by lying to customs you’ve transformed your situation from one where you might have to buy a new computer to one where you might be convicted of a crime.

Can they deny entry to a non citizen and hold their stuff?

I don't think there's any country in the world that doesn't reserve the right to deny entry to non-citizens for any reason they choose.

Perhaps I was unclear, I was asking if they can confiscate your stuff and send you back without it.

I'd think any such confiscation would be for a finite time only, but "finite" possibly encompassing a good portion of the useful life of an electronic device. The US can confiscate your kids and send you back without them. I doubt they'd draw the line at confiscating a phone.

> Customs can temporarily detain you, but they cannot refuse entry

Legal / Official Source please.

Nguyen v. I.N.S. stated that citizens are entitled “to the absolute right to enter its borders....” Some more info and references to cases here: https://fas.org/sgp/crs/misc/home.pdf

"...he clammed up, taking the Fifth, and citing constitutional rights against unwarranted searches.

...border agents told him he had no constitutional nor any legal protections, and threatened him with criminal charges should he not concede to the search.

...he was eventually allowed to leave with his belongings, the devices still locked, and no charges were pressed."

My goodness! I guess those protections did exist after all! :)


-Goons can lie to you all they want. Never budge.

-Politely refuse, and remain cordial. Stay strong mentally.

-Make sure your devices are turned off prior to even leaving for the airport.

This is the sick reality we live in.

Border agents may lie about your rights? Is there no Miranda equivalent for this type of detainment?

There is not.

Customs and Border Patrol operate under a special set of circumstances within ports of entry. You do not have the right to have an attorney present during the interrogation, you can have your personal belongings confiscated, you can be held without charge for up to four hours for any "reasonable" suspicion.

These same rules apply within one hundred miles of the United States border. So if you live near any ocean, Great Lakes, the Mexican border or Canadian border, you live under a different set of rights than the rest of America.

You forgot "any international airport" on your list of ports of entry used to determine the 100-mile constitution-free zone.

> [100-mile] border zone is home to 65.3 percent of the entire U.S. population, and around 75 percent of the U.S. Hispanic population

Or an international airport. Sorry Denver!

> So if you live near any ocean, Great Lakes, the Mexican border or Canadian border, you live under a different set of rights than the rest of America.

Interesting. You'd think that "real America" was just a turn of phrase - turns out that it isn't, that there is a Real America and that it does care far more about protecting individual rights.

> there is a Real America and that it does care far more about protecting individual rights

No, there isn't. Civil rights get trampled regularly outside the 100 mile Constitution-free zone too, just under different pretexts.

The border agents are in fact correct. The Supreme court has ruled that US citizens have no constitutional protections against search and seizure or basically anything else on the border of the US: https://www.aclu.org/other/constitution-100-mile-border-zone

Also police are allowed to lie about anything they want during interrogations.

I feel like there's a difference between "lying about the facts of an investigation, including what they know or don't know, during questioning" and "misrepresenting the rights of the accused."

The latter feels like a serious problem that should get rectified.

He was detained, not arrested. Miranda was unnecessary in this case.

> Make sure your devices are turned off prior to even leaving for the airport.

Security may ask you to turn them back on, not to search them, but to verify that they are actual working devices, and not a bomb.

Very good point. The key here is to make sure your devices are all fully encrypted. Feel free to turn them on to prove they are real.

But never decrypt. If this results in you missing your flight, so be it.

> But never decrypt. If this results in you missing your flight, so be it.

Why? Is that more important to stay locked than miss grandma's funeral, or more positively, 75th birthday?

That’s what makes this all the more malicious. No one wants to miss a flight, and sometimes the consequences are irreparable. Time is the one resource you can’t recover.

Ultimately it is up to each individual to make this call. As for myself, this is a principle I hold above all else.

That's certainly a problem. My grandfather was a man who was tasked with killing spies, knew three languages, and out of all of this, I cannot even get him to talk about privacy or security. It appears even he was taught just to shut down on it and say nothing; even on your practices. All the while he taught child soldiers to become child assassins for the US military.

If you're a security person, I suspect his recommendation would be - even though he doesn't understand IT and tech - to say you don't even understand how SSH works or can't tell the difference between encryption and hashing.

Turning them on doesn't reduce the security. The issue is unlocking them.

As far as the security of the data on the device is concerned, a powered-off device is equivalent to a powered-on device that hasn't been unlocked since it was powered on.

Pro tip: on newer iPhones with either Face ID or Touch ID, holding the sleep/wake button and the volume down button for some time puts the device in a mode where Touch/Face ID are disabled, the phone is locked, and the device passcode is required to unlock.

Touch/Face ID are also disabled when you boot the phone, so turning it off is sufficient.

Traveling internationally with encrypted data you don't want to disclose to border officials is not a good plan these days. Much safer to transfer securely via network connection.

It's easy to single out the US but the reality is that most countries have pretty far reaching rules these days. E.g. the UK and Australia are hardly any safer. And forget about China, Russia, or indeed most countries with even less democratic regimes.

The bottom line is that if you are not willing to unlock your device at any of the security checkpoints you will pass on your journey, you should leave it at home or just wipe it preemptively and restore over a secure connection after you arrive. In case it does get unlocked or taken from you, consider the device burned. It may come back to you with all sorts of malware. The people doing this are not thinking you are a terrorist or a child pornographer: you are being targeted and under attack by a hostile entity. Assuming otherwise would be a mistake. Wipe it, sell it on e-bay, never use it again.

Transferring via network is only secure if you believe that forward security exists for network traffic, which is very likely untrue.

The point being: if your encrypted network traffic is captured and retained, maybe it can still be brute forced at leisure, and deduplicated for deltas only. Thus, volume is only a temporary issue, and everyone still gets to see everything eventually, and full retrospective records are still enriched, so maybe that's fine for some things, and not for others.

This is true regardless of whether you travel internationally. The converse is true as well: traveling internationally does not make it less secure to exchange information. Either way, we are well into tin foil hat territory here but if you do believe this, stop using (networked) computers.

Couldn't you just generate new keys each session and keep forward security?

Interestingly, Russia doesn't do this at all, at least for now.

Maybe they do lead pipe crypto analysis or make an offer you cannot refuse?

Is there a list of all the countries and their practices somewhere?

This assumes that he was not picked by random but instead there is some sort of list of people to check at airports that you can be put on because of your work within IT-security.

That would be a big story if that is the case.

I will offer a counter-narrative which is more in line with my own experience (from other places than the US):

The people who work at border control in particular in airports are bored.

They are also overstaffed and given extreme discretion over the people they patrol; most of whom are non-citizen and thus have basically no rights at all.

This leads to them doing work for the sake of showing they work, overreacting to the least of resistance and maybe even some games of entertainment.

They're likely not stupid enough to have a "list". They have a set of factors and probably tally up some sort of score and search everyone above X. It just so happens that anyone they wanted to put on the list will score X or above. Doing IT security probably gets you a pretty high score just by itself. Add in the fact that he was originally from Eastern Europe and there you are.

I will definitely agree bored cops looking for stuff to do cause a lot of problems.

I don't disagree with you. I just don't think they have detailed information on your profession to the extent that they distinguish a software engineer from a software engineer doing security work.

I think it is obvious that they profile on overall looks, race, citizen status, place of birth, travel patterns.

When I was returning from Hong Kong a few weeks ago, the agent asked what city I was born in (fine) what hospital I was born in (I remember where it used to be, but I can't remember the name) and what the "number" of the county was I grew up in.

What he meant was the prefix for the license plate. Luckily I remembered it. I suspect he grew up in the area, but it was super weird; also, he was probably fairly bored.

>what hospital I was born in

people are expected to know this?

He expected me to, so yes, I guess?

Um, this is definitely the case. DHS has an advanced record keeping system. They have tons of information on every person arriving in the US. Yes they even know what you ordered on your in flight meal.

well, one CBP officer almost sent me to secondary checks because i had two US entry stamps within a week and a half of each other. why? because i went to europe from my own country and both flights (to and from) had layovers in the US.

she said it was absolutely not common (which i doubt very much) and she was concerned i was coming and going because i want to stay (?!?!?!).

Moreover, it's interesting that he believes that he was targeted because he said anti-Trump statements. Yet, it doesn't seem to occur to him that: This is what you get when you advocate for "big government".

The downside of having big government is that it winds up being staffed with mad-with-power bureaucrats, who will mess your life up just because.

I miss the time when most techies believed in civil liberties and were wary of government. Chickens coming home to roost and all that...

I was once randomly selected for screening at Chicago Midway, that quickly became shockingly specific: "Do you know that professor at DePaul that teaches Python?" "Do you mean Massimo Di Pierro?" "Yeah, I think that was his name." "I've met him a few times..." At this point it all seems very surreal. "He was through here a few weeks ago and had stickers on his laptop that were like yours." Ooooh...

Haha that is a name I have not seen in a while! I was a student of his at DePaul. Great guy! Massimo is awesome!

I'm hoping that manufacturers will start building a plausible deniability user profile you can log into while leaving your actual profile encrypted, appearing to be slack space.

This kind of thuggery seems to be getting more common.

Keep data off your devices during travel, and download it once you're safe. If corporate, require external activation by someone from the company before the contents of your device are restored. That way you cannot be forced to divulge any company trade secrets, because you simply don't have access to them while you're crossing the border.

Even that is not sufficient short of a full factory reset. It can be very difficult to impossible to clear all caches and logs, or even know about them.

Once the agent has your password and takes the device into their back room for an hour, you have to assume that all data has been offloaded and the device has had an undetectable rootkit added.

This gentleman's expertise is in security and encryption and now he works for Apple, a company that makes products that the US government can't always crack. He was clearly targeted in his encounter because of his current position, based on the questions they were asking. Surreptitious access to his devices is highly desirable to US intelligence services.

Any device that you lose physical control of during these encounters must be presumed to be compromised and should be physically destroyed afterwards.

> Any device that you lose physical control of during these encounters must be presumed to be compromised and should be physically destroyed afterwards.

Seems unwise to destroy evidence. Find the rootkit, or have your employer or security researcher do so, prove its existence, and sue the Government.

But yes, definitely get a new laptop.

I don't think that will go anywhere. How do you prove the government did it and that it wasn't on there before the encounter?

Why do you need proof? Show it to the internet, there should be other examples too.

It's way easier and less legally ambiguous to make people THINK you are rooting their devices than to actually do it and leave actual evidence to be found. They could even be looking for OTHER rootkits instead of installing them.

I suspect there's a lot of availability bias going on here as well - how many travelers go through the US per year versus how many of them are famous ex-CTOs that get reposted on HN?

image the device prior and after; compare images
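The before/after comparison suggested in the comment above, as an added example that is not part of the original thread: it hashes two raw images block by block and reports which byte ranges differ. The function names, the 4096-byte block size and the two sample images are assumptions constructed for illustration.

```python
import hashlib
import itertools
import os
import tempfile

BLOCK_SIZE = 4096  # comparison granularity (assumption; match the device's sector size)


def image_digest(path):
    """SHA-256 of a whole image; record the 'before' value off-device ahead of travel."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _block_digests(path, block_size):
    """Yield one SHA-256 digest per block, so large images never sit in memory."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            yield hashlib.sha256(chunk).digest()


def changed_ranges(before_path, after_path, block_size=BLOCK_SIZE):
    """Return merged (start, end) byte ranges where the two images differ.

    A block present in only one image (size mismatch) counts as changed.
    """
    limit = max(os.path.getsize(before_path), os.path.getsize(after_path))
    ranges = []
    pairs = itertools.zip_longest(
        _block_digests(before_path, block_size),
        _block_digests(after_path, block_size),
    )
    for index, (before, after) in enumerate(pairs):
        if before == after:
            continue
        start = index * block_size
        end = min(start + block_size, limit)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)  # extend a contiguous run
        else:
            ranges.append((start, end))
    return ranges


def build_sample_images(directory):
    """Write two constructed 16-block images standing in for real device images.

    The 'after' image has one byte flipped in blocks 3, 4 and 9 and half a
    block of extra data appended.
    """
    before = bytearray()
    for i in range(16):
        before += bytes([i]) * BLOCK_SIZE
    after = bytearray(before)
    for i in (3, 4, 9):
        after[i * BLOCK_SIZE] ^= 0xFF
    after += b"\xAA" * (BLOCK_SIZE // 2)

    before_path = os.path.join(directory, "before.img")
    after_path = os.path.join(directory, "after.img")
    with open(before_path, "wb") as f:
        f.write(before)
    with open(after_path, "wb") as f:
        f.write(after)
    return before_path, after_path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        before_img, after_img = build_sample_images(tmp)
        print("before:", image_digest(before_img))
        print("after: ", image_digest(after_img))
        for start, end in changed_ranges(before_img, after_img):
            print(f"changed bytes {start:#x}-{end:#x}")
```

Both images need to be taken with the device powered off, since a normal boot rewrites logs and caches on its own. The output only localizes where to look; deciding whether a changed range is benign still takes analysis of what lives at those offsets.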

Some companies issue "China" Laptops to their executives that they must discard after visiting China. Now I believe we all need throw away laptops and cell phones and Facebook accounts for any sort of international travel.

I know that at least one big German chemical company is doing exactly the same for US trips, because they have evidence of industrial espionage attempts against them. Executives that have to go to any non-European country get a clean laptop, with nothing but the VPN client installed and access is only enabled after the traveler has reached the destination and has called and given a verbal "all good". On return the laptop is not connected to the internal network, but wiped clean.

The last company I worked for (quasi-government) would issue special temporary laptops and blackberries for international travel. You were not allowed to take company devices outside the US. At one point they brought someone in from the CIA to basically scare us with stories of how your devices will be targeted at the border, or even by someone breaking into your room when you are not there.

Most countries aren't that invasive, but it's pretty clear that a visit to the US justifies issuing a special "US" laptop now.

I'm actually wondering what happens if I'm ever asked about Facebook credentials when travelling to the US.

Fact is: I don't do Facebook, nor any other Facebook product, so I'm really not able to hand over any such credentials.

Like you I don't do Facebook and I have every Facebook domain blocked. No one except my immediate family believes I don't use Facebook and considers it an affront when I say I don't use it in response to their request "What's your Facebook?" Many people can't imagine anyone doesn't have a Facebook account. Anyone who says they don't is presumed a liar who is socially rejecting them by refusing to connect.

With TSA/Customs you need to be truthful. If you don't have an account say so. If you have one and say you don't that's a felony.

2019 appears to have lots of students who, although always on their phone, a good bunch don't have Facebook and consider it outdated. Instagram is the new Facebook.

Instagram is still Facebook.

As others have mentioned, lying to the agents is illegal. This isn't:

The password to this freshly wiped device is "Orwell1984". Feel free to have a look, but all you'll find is an app called "Secure Erase Free Space". This SD card I'm carrying separately? No, you can't have the password to that. Yes, I know, you can hold it indefinitely.

>No, you can't have the password to that. Yes, I know, you can hold it indefinitely.

I have a hard time believing that an audience that finds buying a car stressful (as is often stated in Tesla threads) is going to demonstrate assertiveness to a real authority...

People on Hacker News are also pretty likely to have backups. Getting your work laptop confiscated by agents will probably only earn you points at work.

There's also a good argument to be made that the search is illegal, it's important that everyone stand up for that, even if it's stressful.


The audience here is not uniform. Andreas Gal is definitely in the target audience for HN and was able to stand up to the border agents.

Of course there's a relevant xkcd for that: https://xkcd.com/538/

But that's why relying on a trusted external party, like the company you work for, to control your access to your data, is a much more effective strategy. TSA/Chinese police can threaten and bully you, but not your co-worker in a different country following company policy.

So what if you are asked if your device is in its normal state or whether you deleted any data from your device before travelling?

Lying in that situation would seem like a very bad idea (I'm not a US national) - I've had a few uncomfortable experiences over the years entering the US and I certainly wouldn't want to do anything that would give cause to escalate things on their side.

What do they do if you say no in this situation though? Escort you home and inspect your desktop computer there? If I were to tell them that I carry a travel laptop/phone with no information on, there's little they'd be able to do about it unless that in itself was somehow made a crime.

You can be as honest as you like. Or just say you don't take data with you when you travel. For security reasons. If it's work related, this is trivial to justify: company policy, trade secrets shouldn't fall in the wrong hands, etc. And even if private, phone theft and identity theft are serious concerns.

OK and engaging full blown paranoia mode: What if they ask me to log into gmail and Office 365 (I use both) so they can see what I was trying to hide?

> OK and engaging full blown paranoia mode: What if they ask me to log into gmail and Office 365 ...

Doesn't sound that paranoid to me: wasn't there talk already a year ago about trying to force people to log into social media accounts when crossing the border?

Have a password you can't remember, so it's in your password safe which is not on this device. According to another comment, 1password has a special travel mode that supports this.

I would hope that admitting to deleting data is not admitting to a crime. I delete data all the time (old emails, texts, pictures, etc...)

Say, "yes I wiped it in case it got lost whilst I was travelling"?

yes, I'm not importing that data to the USA?

For anyone who has 1Password, they have built-in support for doing this https://support.1password.com/travel-mode/

Won't this basically end up in the same situation as the one here? You will be detained for a few hours and then released?

He wasn't FORCED to unlock his computer, he was just detained for three hours because he wasn't. Adding technical restrictions won't stop that.

If you show that you cooperate yet you can't provide access to anything (because your phone is empty for example) they may treat you better or - if you're a foreigner - not deny you entry.

A "powerwashed" chromebook functions somewhat like this...

Can they ask for online logins?

Maybe, but you can also hand those over to a trusted party. Would be nice if email services let you lock your email account until a trusted party unlocks it again.

Why does this make me think of Harry Potter, the Fidelius Charm, and the secret keeper. Is this really what things have to come to?

For a lot of websites (like Facebook), that's a violation of their ToS and I'm not sure they can ask you to break a contract.

What possible interest would the government have in such a rule, and how could government agents possibly be able to know what contracts you've signed? They haven't read the Facebook ToS any more than you or I have.

There was a case recently of a NASA scientist being hassled at the border for his phone. He initially refused on the basis that handing it over would compromise his obligations to his employer. It did not work.


> I'm not sure they can ask you to break a contract.

Are allowed to? Maybe, maybe not. Will do anyway? Probably yes.

I'm certain they're allowed to. If the SEC thinks your employer is committing fraud, and asks you to inform on them, do they care that you have an NDA? Not a chance.

In the US, an NDA can't be used to conceal a crime.

This seems like a good idea, but it may land you in even more trouble. If it can be shown that you intentionally misled officers about content on your device, not merely denied questioning, you risk an obstruction of justice charge.

How about enforcing this by contract to shift the responsibility towards the employer, which presumably has more teeth to defend itself from abuses? Say a clause in every IT worker contract stating that when a LEO asks to unlock any device, a predefined user account must be used to log in. In the OP case, I'd hardly believe they'd send SWAT teams to Cupertino to raid Apple offices.

Contracts, or at least clauses within contracts, which require a party to break the law are not valid.

Yay for getting protection from your local Lord or Knight against the King. Sad if it’s come to this.

At least with iOS, you can do a factory reset before you leave, and restore it after passing through customs, and for legit reasons - you're paranoid about having your device taken from you while travelling, and you don't want thieves to be able to access your contacts, pictures, whatever.

You don't have to specify that you consider customs agents thieves, that's just up to you if you wanna put that lil' spin on it.

(But for real, this seems to me to be a bulletproof way to both make sure TSA can't access data on your device AND make sure you get pulled aside "randomly" for an extra-long questioning session.)

> I'm hoping that manufacturers will start building a plausible deniability user profile

Deniable encryption can actually be very dangerous for people who are detained in places where torture is used. Even if you unlock your device, law enforcement have no proof that you have unlocked your real profile[0]. This is relevant to countries where people can be detained for not unlocking their devices, like Australia.

[0]: https://en.wikipedia.org/wiki/Deniable_encryption#Drawbacks

Hence why it needs to be the default. The same sort of problem kinda exists with encryption. If nobody encrypted their phones, having one immediately makes you a suspect. However, if everyone had an encrypted phone (default on ios/android), nobody would bat an eye.

TrueCrypt had hidden volumes with plausible deniability.

Aside: don't use TrueCrypt anymore for other reasons.

Btw, who picked up after TrueCrypt left? VeraCrypt?

You could on Android add a dummy, unprivileged account under your name and rename your real account "Guest" or something. Not that this stops a motivated person, but it may placate a border officer who really just wants to thumb through your photos and downloads folder.

Couldn't you just log in to the guest account on a mac? I'm assuming guest accounts can't read any data from the other existing accounts

That will do more harm than good. In order to build such a device the feature would need to be advertised, which TSA can see just like everyone else. Then when they see such a device, it becomes incumbent on you to prove you’re not using the feature, even when you’re not using it. So you can never prove you’re not using it and therefore could be detained. You might think you have more rights if you’re in the US, but there are many regimes where you don’t have them.

Also: https://xkcd.com/538/

Also, such a mechanism necessarily involves lying to law enforcement, which is generally considered a bad idea.


Common mix up, but the agency in question is CBP, not TSA.
